These notifications are in response to the General Data Protection Regulation (GDPR), a new regulation for managing the data of citizens of the European Union (EU), which went into effect on May 25th, 2018. If you’re not a resident of the EU and don’t typically do business with customers in the EU, you may wonder why you’re seeing so many updates about GDPR. Since the internet has created a global marketplace of online services, the websites you use every day are also likely being used by visitors worldwide. If you’re doing any data collection in a tool that could also be used for EU visitors, or if there’s a potential for EU visitors to be tracked by your website, you need to make sure you’re compliant.
What type of Google Analytics data is affected by GDPR?
When using Google Analytics, any time a visitor comes to your website, their interactions are logged via a cookie that stays on their device. Typically this cookie expires after 2 years and certain reporting dimensions become degraded outside of that 2-year period. Most of the high-level metrics related to the pages they visited and conversions they completed are retained indefinitely. However, the ability to see additional user data related to these visits will not be accessible outside of that timeframe. This means that you’ll be able to see the total number of Users for older date ranges, but you won’t be able to filter that data based on device, traffic source or whether the user was new or returning.
As a baseline, you should not be including any personally identifiable information in your Google Analytics reporting.
Making sure you’re GDPR compliant when using Google Analytics
The short version is that you need to be upfront with visitors about how you are tracking them, and what you will do with that data. GDPR requires that visitors opt into receiving cookies through a manual process that is easily understood. So when a visitor arrives on your site for the first time, there needs to be some sort of obvious messaging and call to action to allow them to opt in. You also need to allow visitors to opt out of these cookies at any time.
The process of implementing this will vary based on how your website is built and hosted. Your development team should add an alert that is shown before any of the cookies on your website are set. Once the user opts in to allow cookies, they should not see the message again unless they access the site on a new device.
Making sure your Google Analytics settings are compliant is also important. When you log into your Google Analytics account you’ll see a notification reminding you to update your Data Retention settings. You can either update right from the notification, or navigate to Admin > Property > Property Settings > Data Retention. From there you’ll be able to decide how long you want to retain user data (14, 26, 38, 50 months, or no expiration), and whether you want that time frame to restart whenever a visitor comes to your website.
What about Google Tag Manager?
Google Tag Manager allows you to place pixels which can drop tracking cookies for a variety of third parties, such as Facebook’s pixel which allows you to track the performance of your promoted posts, or DoubleClick conversion tags which monitor multiple conversion points for display and search campaigns. It’s imperative that your opt-in process includes all cookies that a visitor could potentially be exposed to on your website. Just like Google Analytics, you’ll need to give visitors a way to opt out of these cookies.
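The opt-in gate described in the Google Analytics and Google Tag Manager sections above, sketched as an added example (not code from the original article or from Google): every tag that can set a cookie is registered with one gate, none fires until the visitor opts in, and opt-out works at any time. `createConsentGate`, the `tracking_consent` storage key and the tag callbacks are assumed names.

```javascript
// Added example; createConsentGate and 'tracking_consent' are assumed names,
// not part of Google Analytics or Google Tag Manager.
function createConsentGate(storage, key = 'tracking_consent') {
  const tags = [];   // every tag that can set a cookie: analytics, ad pixels, ...
  let loaded = false;
  const loadAll = () => {
    if (!loaded) tags.forEach((t) => t.load());
    loaded = true;
  };
  return {
    // Registering never fires a tag unless consent is already in effect.
    register(name, load, unload = () => {}) {
      tags.push({ name, load, unload });
      if (loaded) load();
    },
    // Run on each page view. Returns true when the banner has to be shown.
    start() {
      const choice = storage.getItem(key);
      if (choice === 'granted') loadAll();
      return choice === null;   // assumption: a stored refusal is remembered too
    },
    optIn() { storage.setItem(key, 'granted'); loadAll(); },
    // Opt-out works at any time; unload() is where a tag's cookies get removed.
    optOut() {
      storage.setItem(key, 'denied');
      if (loaded) tags.forEach((t) => t.unload());
      loaded = false;
    },
  };
}

// Constructed stand-in for window.localStorage so the example runs under Node.
function memoryStorage() {
  const m = new Map();
  return { getItem: (k) => (m.has(k) ? m.get(k) : null), setItem: (k, v) => { m.set(k, String(v)); } };
}

// Constructed walk-through: first visit, opt-in, return visit, opt-out, return visit.
function demo() {
  const log = [], store = memoryStorage();
  const visit = () => {
    const gate = createConsentGate(store);
    for (const n of ['analytics', 'ad-pixel']) gate.register(n, () => log.push('+' + n), () => log.push('-' + n));
    return { gate, banner: gate.start() };
  };
  const first = visit(), firedBeforeConsent = log.length;  // banner shown, nothing fired
  first.gate.optIn();
  const second = visit();   // consent remembered: no banner, tags fire
  second.gate.optOut();
  const third = visit();    // refusal remembered: no banner, no tags
  return { banners: [first.banner, second.banner, third.banner], firedBeforeConsent, log };
}
console.log(demo());
```

In a browser, pass `window.localStorage` as `storage` and put the script-injection code for each tag in its `load` callback.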
What should your next steps be?
- A good first step is determining how much of your traffic is affected by this new policy, which should inform how quickly you need to make updates. Your Google Analytics data can be sorted by country, showing the percentage of overall users who arrived from the 28 countries that make up the European Union.